Uber paid off hacker using bug bounty programme

Andrew Cummings
December 7, 2017

A 20-year-old Florida man was responsible for the data breach at Uber Technologies a year ago and was paid by the company to destroy that data through what is known as a bug bounty program, a scheme normally used to identify vulnerabilities, said three sources familiar with the situation.

Uber never revealed any information about the hacker or how it paid him the money, but it later confirmed that 2.7 million United Kingdom customers had their personal details stolen, as regulators stepped in to investigate the breach.

However, Reuters reporters have found that Uber made the payment last year through its bug bounty service.

Sources have now told Reuters that payment to the hacker was made through its bounty program, which monetarily rewards those who find bugs in the company's software and applications.

It remains unclear who made the final decision to authorize the payment to the hacker and to keep the breach secret, though the sources said then-CEO Travis Kalanick was aware of the breach and the bug bounty payment in November of last year. Kalanick has since stepped down and was replaced as CEO by Dara Khosrowshahi in August.

To cover up the attack, Uber used its bug bounty service, which is hosted by HackerOne.

The culprit's message was forwarded to Uber's "bug bounty" team and ultimately made its way to HackerOne, a third-party company that awards researchers for revealing security flaws in clients' products. Uber spokesman Matt Kallman declined to comment on the matter.

Apparently, the hacker had to sign a non-disclosure agreement to keep his trap shut about the whole incident, and Uber sent cybersecurity boffins around to make sure the swiped data was indeed purged from his computer.

But the firm caused much anger when it was revealed that it had actually paid the hacker $100,000 to keep the information hidden for over a year. Complicated scenarios can emerge when dealing with hackers who obtain information illegally or seek a ransom. He did say that every bug bounty award is processed through them. It is unclear whether Clark informed Uber's legal department, which typically handled disclosure issues.

The revelation has gotten the startup in hot water with regulators and prosecutors.

Three more members of Uber's security team subsequently resigned from their roles last week. One of them, physical security chief Jeff Jones, later told others he would have left anyway, sources told Reuters.